
I've encountered a security vulnerability in a website. The website is that of a leading brand in its industry. There are user accounts, etc., and this website is very popular.

I've contacted multiple people from their development/IT team, but no reply (they've read the message).

Do I leave it as it is? Knowing that the public are potentially at risk by using a site that is less than secure?

Is this what filing a CVS/CVE issue is for? Or does that not fit into this at all and I should leave things as they are?

  • 1
    Possible duplicate of [How does responsible disclosure work, once vendor says it's not a security bug?](https://security.stackexchange.com/questions/124736/how-does-responsible-disclosure-work-once-vendor-says-its-not-a-security-bug), [Where to publicly report a vulnerability, after developer ignores it?](https://security.stackexchange.com/questions/130961/where-to-publicly-report-a-vulnerability-after-developer-ignores-it) and several others. – Steffen Ullrich Aug 31 '18 at 10:54

2 Answers


There are a couple of things you can do.

1) Do nothing

2) Tell the world

I would go with 1). The reason for this is that you can get into serious trouble if you tell the world (depending on what laws you have broken to get the knowledge, and you probably have broken some laws even if you think you have not), and you could still get into trouble just by telling the company; I have, and a lot of others have too.

Simply not worth it most of the time.


Yes, you could simply do nothing, but leaving the users at serious risk is (in my point of view) much more unethical than publishing it.

A good combination could be this: contact the company (not the IT department, but their public relations office). As I assume your approach was legal, there should be no problem in doing so. Give them a fixed amount of time and tell them in a nice but certain way that you think there is a problem and that you will stick to responsible disclosure. You might think about something like 60 days before publication, or something similar. That's most likely an approach every involved party can deal with.

Ben